NAME
Dancer::Session::Cookie - Encrypted cookie-based session backend for
Dancer
VERSION
version 0.25
SYNOPSIS
Your config.yml:
session: "cookie"
session_cookie_key: "this random key IS NOT very random"
DESCRIPTION
This module implements a session engine for sessions stored entirely in
cookies. Usually only session id is stored in cookies and the session
data itself is saved in some external storage, e.g. database. This
module allows to avoid using external storage at all.
Since server cannot trust any data returned by client in cookies, this
module uses cryptography to ensure integrity and also secrecy. The data
your application stores in sessions is completely protected from both
tampering and analysis on the client-side.
CONFIGURATION
The setting session should be set to "cookie" in order to use this
session engine in a Dancer application. See Dancer::Config.
A mandatory setting is needed as well: session_cookie_key, which should
contain a random string of at least 16 characters (shorter keys are not
cryptographically strong using AES in CBC mode).
Here is an example configuration to use in your config.yml:
session: "cookie"
session_cookie_key: "kjsdf07234hjf0sdkflj12*&(@*jk"
Compromising session_cookie_key will disclose session data to clients
and proxies or eavesdroppers and will also allow tampering, for example
session theft. So, your config.yml should be kept at least as secure as
your database passwords or even more.
Also, changing session_cookie_key will have an effect of immediate
invalidation of all sessions issued with the old value of key.
session_cookie_path can be used to control the path of the session
cookie. The default is /.
The global session_secure setting is honoured and a secure (https only)
cookie will be used if set.
DEPENDENCY
This module depends on Session::Storage::Secure. Legacy support is
provided using Crypt::CBC, Crypt::Rijndael, String::CRC32, Storable and
MIME::Base64.
SEE ALSO
See Dancer::Session for details about session usage in route handlers.
See Plack::Middleware::Session::Cookie,
Catalyst::Plugin::CookiedSession, "session" in Mojolicious::Controller
for alternative implementation of this mechanism.
AUTHORS
* Alex Kapranoff
* Alex Sukria
* David Golden
* Yanick Champoux
COPYRIGHT AND LICENSE
This software is copyright (c) 2014 by Alex Kapranoff.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.